Can you track a DTR or Nextel i355?

Status
Not open for further replies.
Joined
May 7, 2004
Messages
3,758
Location
RLG, Fly heading 053, intercept 315 DVV
#1
I was wondering. With the right plugin for AirSpy and SDR# you can scan a very high bandwidth. Would it be possible to track the one half second frequency hop of a DTR radio or a Nextel i355 that uses the same technique? If it can follow the hops what about the VSELP modulation? Can you decode that?

Thanks!
 
Joined
May 19, 2014
Messages
409
Location
Nassau County
#3
DTR I would say most likely no
That's comparable to trying to break encryption

i355 on the other hand I suppose it's possible to see what frequencies are being used on an SDR or service monitor type thing
I also heard some rumor that there's either a particular Motorola radio or a type of way you can set up an i355 where you would be able to monitor iDEN talkgroups, etc.
Again it's a rumor, don't quote me on it, but I have seen iDEN systems in the database mapped out with talkgroups and all so it could be somehow possible.
 
Joined
Jul 18, 2014
Messages
8,884
Location
PA
#5
Following the frequency hopping is possible if the hop pattern is known, i.e. follows a specific, static pattern. But if a secret key is used to generate the hop pattern, then you'd have to either know the key (maybe legal, depending on how you got it), or crack the encryption (possibly illegal, maybe impossible).

Any known modulation scheme can be demodulated in software, if the SDR can receive the frequency range and has enough bandwidth to receive the entire signal simultaneously. For example, an RTL SDR can decode broadcast stereo FM, which uses 100KHz of bandwidth between 88-108MHz. But it cannot decode Wi-Fi for 2 reasons:
1. Wi-Fi uses a higher frequency range than can be received by the RTL SDR (2.4GHz, vs 1.7GHz upper limit for the RTL SDR), and

2. Wi-Fi channels are 20-40MHz wide, and the RTL SDR can only receive 2-3MHz of bandwidth at a time.

You would need to know the details of the hop algorithm, including whether or not some kind of user-defined key is used to generate the hop sequence.

Your SDR would have to be able to retune fast enough to follow the hops. That might require 2 SDR receivers, alternating between retuning to the next hop frequency and listening to the signal.

Your SDR(s) need to be able to receive the entire signal modulation bandwidth, but do not need to receive all possible hop frequencies simultaneously.

Lastly, you need software that can take the digital data from the SDR(s) and decode it properly. This may or may not currently exist.
 
Joined
Oct 15, 2012
Messages
757
#6
My YouTube channel has a troll who seems to expound on the ability to monitor DTR series radios with SDR, but of course no evidence is ever given. VSELP and frequency hopping is a pretty effective method of keeping your radio comms pretty secure from a realistic standpoint.

Your best bet for monitoring DTR radios is to have one yourself. Many owners/users do not put in a private channel and use the default "Private1" setting. I have used SDR to see that they are in use, but they can't monitor them.

What is easily monitored is the analog frequency hopping eXRS radios. I have used several mobile and handheld scanners to listen to these. They are not built as well and I would not recommend them.

Nextel i335, I have not tried. Although I did have some older mobile Nextel gear that was able to be used after their push to talk network was rebanded.
 
Joined
May 7, 2004
Messages
3,758
Location
RLG, Fly heading 053, intercept 315 DVV
#7
DTR i would say most likely no
Thats comparable to trying to break encryption
I'm referring to these. dtr radio | eBay

Both the Motorola DTR radio and the old Nextel i355 phones use the same scheme in that they use FHSS in the 900 MHz band and VSELP for modulation. The only difference would be the output wattage between the two and perhaps the hop rate. The DTR is 1 watt, while the Nextel is like 750 mW if I can remember. But I gotta tell you. I got pretty good range with those Nextels.

I just wonder how much of a bandwidth the radios use? If it's within the bandwidth that an SDR can auto tune to then all I would need to do is decode VSELP.

Which brings me to another question: Is VSELP just VSELP or is there like different versions of VSELP in itself? I thought I read about an SDR decoding VSELP that was used for public safety. But I can't remember the system name they used.


Edit-

Here's an old thread. http://forums.radioreference.com/tavern-archives/43865-motorola-dtr-650-550-anyone.html

I also read the hop rate for the DTR is 90 ms. I wonder if they use the entire ISM band? That would definitely be out of the scope for a SDR.

Edit 2-

The manual for the DTR states that it's just using the ISM band which would be 26 MHz spread and 8 level FSK. The channel spacing is 50 KHz.
 
Joined
May 7, 2004
Messages
3,758
Location
RLG, Fly heading 053, intercept 315 DVV
#8
I read that a user was able to use SDR# and a plugin (of which I can't remember) I think it was a scanner-like plugin where you can filter out birdies and what have you and scan large swaths of spectrum. This would be useful and scan the entire 26 MHz ISM band.

Edit-

Here it is! http://www.rtl-sdr.com/sdr-frequency-scanner-plugin-updated/

That is awesome! The user on this forum that talked about this was able to scan the entire Mil-air band in like 2 seconds or less. :lol:
 
Joined
Jul 18, 2014
Messages
8,884
Location
PA
#9
With SDR# and a $20 RTL SDR stick, I can scan about 10MHz/second. SDR# comes with the scanner plugin now. You have to tweak the default scanning settings to get it to scan that fast, but it's better than anything else in the price range for scanning an entire band for active frequencies. It even logs activity to a MySQL database for further analysis.
 
Joined
Jul 18, 2014
Messages
8,884
Location
PA
#10
I also read the hop rate for the DTR is 90 ms. I wonder if they use the entire ISM band? That would definitely be out of the scope for a SDR.

Edit 2-

The manual for the DTR states that it's just using the ISM band which would be 26 MHz spread and 8 level FSK. The channel spacing is 50 KHz.
Monitoring the DTR with SDR is possible then, with the following caveats:

1. You'll have to figure out the FHSS hop scheme to retune the SDR for each hop. This may require "leapfrogging" 2 SDRs, so that one is receiving the current freq, while the other is retuning to the next freq. If there are any user-settable parameters that affect the hop pattern, you'll need to know those parameters.

2. You'll either need to find or write some code to decode the VSELP audio from the SDR data.
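
Added example (not part of any post in this thread, and not Motorola's algorithm): a small simulation of the points made in posts #5 and #10, showing how little of a keyed hop sequence a parked narrowband receiver sees compared with a receiver that knows the hop key. The HMAC-based hop function, the demo keys and the assumption that all 520 channels of the 26 MHz band are used are hypothetical; the band width, 50 kHz spacing and roughly 2.4 MHz receiver bandwidth are the figures quoted in the thread.

```python
import hashlib
import hmac

# Figures quoted in the thread: 902-928 MHz ISM band, 50 kHz channel spacing.
BAND_START_HZ = 902_000_000
BAND_WIDTH_HZ = 26_000_000
CHANNEL_SPACING_HZ = 50_000
# Assumption: every channel in the band is a possible hop target.
NUM_CHANNELS = BAND_WIDTH_HZ // CHANNEL_SPACING_HZ


def hop_channel(key: bytes, slot: int) -> int:
    """Hypothetical keyed hop function: HMAC-SHA256(key, slot) mod channel count.

    Stands in for "a secret key is used to generate the hop pattern";
    it is not the DTR hop algorithm.
    """
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % NUM_CHANNELS


def channel_freq_hz(channel: int) -> int:
    """Centre frequency of a channel, assuming channels start at the band edge."""
    return BAND_START_HZ + channel * CHANNEL_SPACING_HZ + CHANNEL_SPACING_HZ // 2


def fixed_window_capture(key: bytes, slots: int, centre_hz: int, rx_bw_hz: int) -> float:
    """Fraction of hop dwells that land inside a receiver parked on one frequency."""
    lo = centre_hz - rx_bw_hz // 2
    hi = centre_hz + rx_bw_hz // 2
    hits = sum(lo <= channel_freq_hz(hop_channel(key, s)) < hi for s in range(slots))
    return hits / slots


def follower_capture(tx_key: bytes, rx_key: bytes, slots: int) -> float:
    """Fraction of dwells caught by a receiver that retunes every slot using rx_key."""
    hits = sum(hop_channel(tx_key, s) == hop_channel(rx_key, s) for s in range(slots))
    return hits / slots


if __name__ == "__main__":
    tx = b"constructed-demo-key"  # constructed sample key
    print("parked 2.4 MHz window:", fixed_window_capture(tx, 20000, 915_000_000, 2_400_000))
    print("follower, correct key:", follower_capture(tx, tx, 20000))
    print("follower, wrong key:  ", follower_capture(tx, b"some-other-key", 20000))
```

A parked 2.4 MHz window covers 48 of the 520 assumed channels, so it catches roughly 9% of dwells, while a follower with the wrong key catches about 1 in 520.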
 
Joined
Aug 3, 2013
Messages
124
Location
Heflin, AL
#11
It has been a while since I fooled with either the DTR or Nextel phones. But, I do remember looking at one transmit on a spectrum analyzer. They don't use the entire 26 MHz, but I don't remember exactly how much they do use. I believe it is stated in some of the limited technical data available. Seems like there are different groups of frequencies and different hopping patterns. These are mixed together to form the "groups" and "channels" used by these devices to keep them from interfering or being heard by the wrong radio. Though they use similar technology, the two won't communicate with each other. I bought a couple of the DTRs off eBay and played around with them a little. I didn't care for them. Same goes for the retired Nextels. A pair of FRS radios suits my needs much better. It might be possible to intercept and listen to these things, but why bother? Sounds like a lot of trouble for very small returns on your investment of time and effort.
 
Joined
Jul 22, 2009
Messages
344
#12
I was wondering. With the right plugin for AirSpy and SDR# you can scan a very high bandwidth. Would it be possible to track the one half second frequency hop of a DTR radio or a Nextel i355 that uses the same technique? If it can follow the hops what about the VSELP modulation? Can you decode that?

Thanks!
No. The problem is, go and look at 902-928: it is full of frequency hopping emitters. How do you tell which is the DTR transmitting amongst the clutter of FH traffic in that band?

DTR/i355 is hiding in plain sight.
 
Joined
Dec 31, 2005
Messages
1,717
#13
I've noticed the only couple of places that I noticed using DTR radio were just using public group channels.

It's been years since I toyed with these, but I tested a near field receiver against a DTR550. After the 3 Nextel type beeps there is data sent to the other radios. Some of which likely just confirms another radio is in range, but I'd assume data containing hop set information and radio ID's/group #'s should be in there too.

It might be easier to try to decode the data burst then program the necessary info in a DTR radio instead of trying to decode a FH VSELP signal.
 
Joined
Jul 22, 2009
Messages
344
#14
The trick is to check your near field receiver with users on DTRs 350 feet away.

When I was looking at the entire spectrum 902-928 you would not be able to discern the DTR traffic from all the other FH activity. It blends right in since that ISM band is full of transmitters.
 
Joined
Dec 31, 2005
Messages
1,717
#16
Maybe buying a DTR radio for test purposes and trying to capture the pre voice frame signalling data and attempting to make sense of it would be the best way to go.

It is sent immediately after the tx beeps.

If you could somehow create a disc tap and by means unknown to me, try to read the data on a scope. Also, I believe they only use 50 non overlapping hop sets.

The hop dwell time is sufficient enough for a decent capture, but you need to be close in.

The defunct eXRS radios were much easier to eavesdrop on because they used analog NFM and a very slow hop rate of ~4 hops per second. But these radios didn't take off due to sync issues.
 
Joined
Feb 17, 2003
Messages
1,122
Location
Nashua, NH
#17
https://fccid.io/AZ489FT5852

I own 6 factory brand new DTR650 radios. Radios and batteries were manufactured in October, 2016. They are working excellently and have replaced my use of GMRS for local on-site simplex type use. I migrated my local simplex operations from GMRS/FRS to the DTRs. I set up a private talkgroup for them so they are unmonitorable by any other DTR or DLR that are not a member of the group. The DTRs and DLRs use an ID based system and each radio has its own unique 11 digit electronic serial number (ESN) as its radio ID. The ID cannot be changed by the end user or through programming with the CPS. So while not encrypted, DTRs and DLRs can be made very secure by using private 1 to 1 calling and private groups. Monitoring these would require capturing the hopping and decoding the VSELP digital. DTRs and DLRs might be able to be monitored by using old iDEN test equipment from Motorola.

I have monitored some DTR and DLR traffic on Public groups 1-6 on hopset #1. Public groups 1-6 on hopset #1 map to channels 1-6 in the DLRs with Profile 0000 (default). DTRs and DLRs will work with each other right out of the box with both at their factory default programming. Setting up private contacts and private groups requires using the Business Radio CPS, a free download from Motorola.
 
